Problem
The operator 1.22.0 Go code already has the concept of Workload Identity — the error message confirms this:

```
clientEmail and privateKey are required for GCS credentials when workloadIdentity is not enabled
```
However:
- The CRD schema for `PerconaServerMongoDB` does not expose a `credentials.workloadIdentity` field under `spec.backup.storages[].gcs`
- `credentialsSecret` is still marked as `required` in the GCS storage spec
- Even when the CRD is manually patched to add `credentials.workloadIdentity: true`, the operator's Go struct does not deserialize or pass it to PBM's configuration
This means GKE environments using Workload Identity (Google's recommended approach for avoiding exported service account keys) cannot use GCS backups without a workaround.
Context
- PBM 2.13.0 (released 2026-03-03) added native GCS Workload Identity Federation support (release notes)
- The operator image `1.22.0` has the error path that checks for workloadIdentity but does not expose it through the CRD or Go structs
- The Percona Server MongoDB pods run with a Kubernetes Service Account that has GKE Workload Identity configured, granting `roles/storage.objectUser` on the backup GCS bucket
- PBM 2.13.0 running inside those pods can authenticate via WI natively, but the operator never tells PBM to use it
Proposed Fix
- Add `credentials.workloadIdentity` (boolean) to `spec.backup.storages[].gcs` in the CRD schema
- Make `credentialsSecret` optional when `credentials.workloadIdentity: true`
- When the flag is set, the operator should skip credential secret parsing and configure PBM to use the pod's service account identity (WI) for GCS authentication
- This aligns with PBM 2.13.0's native WIF support
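The following is an added illustration of the proposed operator behaviour, not code from the Percona operator or PBM: a hypothetical `GCSStorage` struct that carries the proposed `credentials.workloadIdentity` field, a validation rule that only demands `credentialsSecret` when that flag is off, and a config builder that skips Secret parsing and passes the flag through when it is on. The struct names, the `PBMGCSConfig` shape and the `SecretReader` callback are assumptions made for the example; the real PBM configuration keys are not modelled. The CR fragment is decoded from a constructed JSON string so it runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// GCSCredentials mirrors the proposed spec.backup.storages[].gcs.credentials
// object. Field names are this example's assumption, not the operator's types.
type GCSCredentials struct {
	WorkloadIdentity bool `json:"workloadIdentity,omitempty"`
}

// GCSStorage is a hypothetical stand-in for the operator's GCS storage struct,
// with the proposed Credentials field added.
type GCSStorage struct {
	Bucket            string          `json:"bucket"`
	Prefix            string          `json:"prefix,omitempty"`
	CredentialsSecret string          `json:"credentialsSecret,omitempty"`
	Credentials       *GCSCredentials `json:"credentials,omitempty"`
}

// UsesWorkloadIdentity reports whether the CR asked for pod identity.
func (g GCSStorage) UsesWorkloadIdentity() bool {
	return g.Credentials != nil && g.Credentials.WorkloadIdentity
}

// ParseGCSStorage decodes the gcs block of a storage entry.
func ParseGCSStorage(raw []byte) (GCSStorage, error) {
	var g GCSStorage
	if err := json.Unmarshal(raw, &g); err != nil {
		return GCSStorage{}, fmt.Errorf("decode gcs storage: %w", err)
	}
	return g, nil
}

// ValidateGCS enforces the proposed rule: credentialsSecret is required only
// when credentials.workloadIdentity is not enabled.
func ValidateGCS(g GCSStorage) error {
	if g.Bucket == "" {
		return errors.New("bucket is required for GCS storage")
	}
	if !g.UsesWorkloadIdentity() && g.CredentialsSecret == "" {
		return errors.New("credentialsSecret is required for GCS storage when credentials.workloadIdentity is not enabled")
	}
	return nil
}

// PBMGCSConfig is a hypothetical flattened view of what the operator would
// hand to PBM; the real PBM config keys are not modelled here.
type PBMGCSConfig struct {
	Bucket           string
	Prefix           string
	WorkloadIdentity bool
	ClientEmail      string
	PrivateKey       string
}

// SecretReader stands in for reading clientEmail/privateKey out of the
// referenced Kubernetes Secret (constructed for this example).
type SecretReader func(name string) (clientEmail, privateKey string, err error)

// BuildPBMGCSConfig either passes the workload-identity flag through to PBM
// or falls back to the exported service-account key held in the Secret.
func BuildPBMGCSConfig(g GCSStorage, readSecret SecretReader) (PBMGCSConfig, error) {
	if err := ValidateGCS(g); err != nil {
		return PBMGCSConfig{}, err
	}
	cfg := PBMGCSConfig{Bucket: g.Bucket, Prefix: g.Prefix}
	if g.UsesWorkloadIdentity() {
		// Skip Secret parsing entirely: PBM authenticates as the pod's
		// Kubernetes Service Account through Workload Identity.
		cfg.WorkloadIdentity = true
		return cfg, nil
	}
	email, key, err := readSecret(g.CredentialsSecret)
	if err != nil {
		return PBMGCSConfig{}, fmt.Errorf("read secret %q: %w", g.CredentialsSecret, err)
	}
	if email == "" || key == "" {
		return PBMGCSConfig{}, errors.New("clientEmail and privateKey are required for GCS credentials when workloadIdentity is not enabled")
	}
	cfg.ClientEmail, cfg.PrivateKey = email, key
	return cfg, nil
}

func main() {
	// Constructed CR fragment: no credentialsSecret, workload identity on.
	raw := []byte(`{"bucket":"example-backups","prefix":"psmdb","credentials":{"workloadIdentity":true}}`)
	g, err := ParseGCSStorage(raw)
	if err != nil {
		panic(err)
	}
	noSecret := func(string) (string, string, error) {
		return "", "", errors.New("secret must not be read under workload identity")
	}
	cfg, err := BuildPBMGCSConfig(g, noSecret)
	fmt.Printf("cfg=%+v err=%v\n", cfg, err)
}
```

The `noSecret` reader in `main` fails on purpose: under the proposed rule it must never be invoked when the flag is set, which is exactly the path the 1.22.0 operator lacks today. Decoding with `encoding/json` also shows the current failure mode in passing: a struct without the `Credentials` field would silently drop an unknown `credentials` key rather than reject it.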
Current Workaround
- Manually patch the CRD via `kubectl apply --server-side --force-conflicts` to add the `credentials` field and remove `credentialsSecret` from `required`
- Create a placeholder secret with dummy content
- Neither workaround fully works because the operator Go code does not read or pass `credentials.workloadIdentity` to PBM
Environment
- Operator: 1.22.0 (Chainguard FIPS image: `cgr.dev/gameplantech/percona-server-mongodb-operator-fips:1`)
- PBM: 2.13.0
- Platform: GKE Autopilot with Workload Identity
- Helm chart: psmdb-db 1.21.3 / psmdb-operator subchart 1.21.2
- IL4 environment where exporting service account JSON keys is not permitted